Snapchat’s track record with security has been less than stellar these past few weeks. The popular pic-snapping and sharing app recently added what seemed like a clever human verification tool to prevent the creation of bot accounts made to harvest user information. Not long after Snapchat put the measure into place, however, an independent coder broke it in less than half an hour.
This new security measure comes on the heels of a massive data leak, in which greyhat (chaotic neutral, essentially) hackers exposed partial phone numbers of 4.5 million users after Snapchat neglected to take a known exploit seriously.
Hacker collective Gibson Security contacted Snapchat about an exploit (a piece of software with the ability to break security measures) that would allow a script to associate phone numbers with user profile names, display names and profile privacy settings. Gibson also warned of another exploit allowing a hacker to bulk-register thousands of accounts. While Snapchat admitted to a theoretical vulnerability, it neglected to do anything about it.
The risk turned out to be far more than theoretical, however, as Gibson Security’s disclosure showed that by abusing Snapchat’s friend finder feature, a hacker with a fast connection could obtain 10 thousand user phone numbers in seven minutes.
While Snapchat has since begun allowing users to opt out of the “Find Friends” feature, its security woes are yet to be quelled. An easily broken anti-bot measure and no confirmed solution leave the app’s security looking like Swiss cheese for the moment.
Snapchat gets at least partial kudos for proper handling of the situation, however, as it now allows users to unlink their personal phone numbers from their accounts. Users concerned about their privacy are encouraged to do so, at least until Snapchat’s security overhaul is complete.